Author: Peter Oakes is an experienced anti-financial crime, fintech and board director professional.
Central Bank of Ireland lays out its expectations of firms seeking crypto licensing in Ireland

29/5/2024

If you are looking to get authorised under the Markets in Crypto Asset Regulation (MiCAR) in Ireland, the Central Bank of Ireland has confirmed (or perhaps reconfirmed in some people's minds) that the regulator intends to open its MiCAR authorisation gateway in early Quarter 3 2024.

VASPs operating under the VASP regime prior to 30 December 2024 will, under MiCAR, be permitted post 30 December 2024 to avail of a transitional period enabling them to continue to operate for up to 12 months or until their CASP authorisation is granted or refused, whichever is sooner. However, the CBI says that in respect of firms not yet registered as VASPs its experience is that a period of at least ten months is required to conclude the assessment of a VASP application. The CBI says such firms should focus their efforts on preparing for a CASP application (under MiCAR) rather than seeking a VASP registration at this time. For those VASPs that have already applied for a registration but have not reached the end point of the process, the CBI will continue to assess these applications and will engage bilaterally with these firms on the progress of their applications.

Following Ramp Swaps (Ireland) Limited's registration as a VASP, the latest such registration in Ireland, there are now 13 registered virtual asset service providers in Ireland and potentially a few more to come.

Get in touch with CompliReg and see MiCA Ready if you are looking to get a MiCAR authorisation in Ireland or elsewhere in Europe.

Firms looking to get authorised in Ireland as a CASP, or registered in the near future as a VASP, should note the following extracts from a speech today by Gerry Cross, Director for Financial Regulation, Policy and Risk, at Blockchain Ireland's excellent event this week (see link at end of article).
Source: Technological innovation and financial regulation – a maturing relationship - Remarks by Gerry Cross, Director for Financial Regulation, Policy and Risk, Wednesday 29th May 2024
Linkedin Post: https://www.linkedin.com/posts/peteroakes_micar-virtualasset-activity-7201513163152834560-N6m7
"All these issues, in themselves, are sufficient for a finding that, at the assessment interview, there was an absence of fair notice sufficient to conclude that this part of the process fell below the standard of constitutional fairness. We are unable to conclude that the decision reached was the correct and preferable decision. There were fundamental procedural flaws which were to be found at all three stages of the process. The Tribunal is satisfied that taken cumulatively – or even individually – the various procedures adopted by the Central Bank did not comply with the requirements of Constitutional and natural justice; including the necessity for fair notice; the duty to give reasons; and the observance of the principle of audi alteram partem." [Latin for "hear the other side"]

Interested in the Central Bank of Ireland's internal and often called 'opaque' fitness and probity assessment process? In which case, take the time to read this decision (link below) by the Irish Financial Services Appeals Tribunal, an independent body to which appeals lie from Central Bank decisions.

The Appeal involved a finding by the Central Bank that "in its “opinion”, the Appellant was “unfit” to hold the two positions in question." The Appellant, identified as AB, was applying for (as it was then) PCF2 (NED) and PCF3 (Chairman). While the identity of the Appellant is not made known, we know the person is male and he held "similar roles to those which he was applying for in Redhedge and other regulated entities in the same sector."

The crux of the order appears at para 325 on page 79 of the decision (here):

"We are unable to conclude that the decision reached was the correct and preferable decision. There were fundamental procedural flaws which were to be found at all three stages of the process. The Tribunal is satisfied that taken cumulatively – or even individually – the various procedures adopted by the Central Bank did not comply with the requirements of Constitutional and natural justice; including the necessity for fair notice; the duty to give reasons; and the observance of the principle of audi alteram partem." [Latin for "hear the other side"]

The impugned decision was one which had serious legal consequences, where fundamental legal and constitutional principles had to be applied in the course of performing the statutory functions. The Central Bank called the Appellant to what is known as an “assessment interview” and then a “specific interview”. These made adverse findings. There followed a “minded to refuse” letter to the ultimate decision-maker. She largely confirmed these adverse findings and held the Respondent [i.e. the Central Bank] entitled to refuse the applications.

There is a lot here for the Central Bank to consider and take stock of. And hopefully it does.

While there was the appearance of fair procedure, there was an absence of its substance.

Summary of certain facts

In summary (all the below are direct quotes from the decision**):
Costs:
** To ensure that you are aware of the context from which the above quotes are extracted, do read the decision for yourself. A copy of the decision is located here.
Linkedin Post here. Do check out the Linkedin page as it contains lots of additional information.
The Central Bank of Ireland issued a statement on its website saying:
Friday 20th January 2023: Central Bank of Ireland (CBI) issued a Dear CEO letter to the fintech industries of electronic money institutions and payments institutions. The purpose is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around its approach to, and judgements around, regulation and supervision.
If you are looking to get authorised as an electronic money or payments institution in Ireland, contact us. We are working with a number of such applicants and we advise those already authorised on their on-going regulatory obligations, business models and strategy. See our Authorisation Page with links to useful Authorisation Guides.

Busy start to the year with enquiries from the UK, Asia and the US continuing to roll in about the benefits, opportunities and challenges of establishing an EEA regulated presence in Ireland, particularly for #emoney and #payments. While Ireland is in the top three of the final round, there remains stiff competition (so to speak) from two other leading jurisdictions.

Thus it was good to see, as I am sure others will agree, the Central Bank of Ireland's most recent Dear CEO letter issued to emoney and payments institutions on Friday 20 January 2023 by Mary-Elizabeth McMunn, Director of Credit Institutions Supervision. It will help provide greater clarity not only to currently authorised emoney and payments firms, but also to those in the authorisation pipeline and those thinking of filing in Ireland. It is a meaty document at 5,168 words across eleven (11) pages.

Download a copy of the letter and additional relevant reading material here - https://complireg.com/blogs--insights/2023-dear-ceo-letter-re-supervisory-findings-and-expectations-for-payment-and-electronic-money-e-money-firms

If you wish to get a quick understanding of the letter in terms of your regulatory obligations, search the words 'we expect'. You will see those appear eleven (11) times too!

Right now, it is best to mark in your calendar, and work backwards from it, that an audit opinion on safeguarding, along with a Board response on the outcome of the audit, is to be submitted to the CBI by 31 July 2023. And it is not just a case of ringing your current external auditors and appointing them.
The purpose of the letter is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around our approach to, and judgements around, regulation and supervision. The breakdown of the letter is as follows:

(1) Supervisory Approach for the Payment and E-Money Sector (provides wider and specific context to our supervisory approach).

(2) Supervisory Findings (key findings from supervisory engagements over the last 12 months and actions the CBI expects firms to undertake):
➡ Safeguarding;
➡ Governance, Risk Management, Conduct and Culture;
➡ Business Model, Strategy and Financial Resilience;
➡ Operational Resilience and Outsourcing;
➡ Anti-Money Laundering and Countering the Financing of Terrorism;
(3) Conclusion and Actions Required (CBI's expectation that this letter is provided to and discussed with your Board, and that any areas requiring improvement that directly relate to your firm are actioned).

Next Steps: Get in contact with Peter Oakes / CompliReg. CompliReg was founded by the CBI's inaugural Director of Enforcement and AML/CFT Supervision and board director of payments, emoney and MiFID companies. Peter is also a former: FSA (now FCA) enforcement lawyer; senior officer (legal) at ASIC; and adviser to the deputy director of banking at SAMA.

Further Reading:
10 December 2021: Authorisation Guidance and Supervisory Expectations for Payment and Electronic Money Firms (Central Bank of Ireland)
09 December 2021: Central Bank of Ireland Dear CEO Letter on Supervisory Expectations for Payment and Electronic Money (E-Money) Firms
“All current and potential VASP applicants should review the content of the bulletin and take actions to rectify weaknesses, as relevant. Firms undertaking VASP activities are also reminded that a failure to register may result in significant criminal and/or administrative sanctions." Central Bank of Ireland

If you need assistance with your Virtual Asset Service Provider registration application, or another regulatory authorisation application such as emoney, payment services or MiFID, get in touch with Peter Oakes at CompliReg by CLICKING HERE. To read more about Virtual Asset Service Provider registration, emoney authorisation, payment institution authorisation and MiFID authorisation, CLICK HERE.

Today (Monday 11 July 2022) the Central Bank of Ireland issued a press release highlighting weaknesses in Virtual Asset Service Providers’ (VASP) AML/CFT Frameworks. As of today, according to the Central Bank's website, the total number of VASPs registered in Ireland is ZERO. See image below.

Question: If there are no firms appearing on the register, does that mean that there are no VASPs operating lawfully in Ireland?

Answer: No. VASPs established in Ireland and carrying on business as a VASP immediately prior to the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 coming into force, who applied to the Central Bank for registration before 23 July 2021, are permitted to continue to offer VASP services pending the outcome of their application ('transitional period'). While we have heard stories of firms operating as VASPs in Ireland in circumstances where they do not fall under the transitional period, such firms should be subject - if they came to the attention of the Central Bank - to criminal and/or regulatory investigation.
Accompanying today's press release is a bulletin in relation to Virtual Asset Service Providers (VASPs), seeking to assist applicant firms to strengthen both their applications for registration and their Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Frameworks. The Central Bank says that while it seeks to anticipate and support innovation in the financial services industry, firms operating in novel areas must ensure their businesses will not be used to launder the proceeds of crime or to finance terrorism. The Central Bank issued the bulletin to VASPs to assist them in strengthening their applications and frameworks.

Background: Since 23 April 2021, VASPs are required to comply with the relevant AML/CFT obligations under the Criminal Justice Act 2010 to 2021. Any firm wishing to conduct business as a VASP must apply to the Central Bank for registration. The Central Bank says it is currently progressing the assessment of registration applications, and has provided feedback to 90% of applicants on their proposed AML/CFT frameworks.

Findings: The Central Bank identified, in the vast majority of applications:
See below for further details on the Central Bank's 'findings' observations. The Central Bank reported that the lack of compliance, coupled with control weaknesses, resulted in a significant number of the applicant firms not being able to demonstrate that they could meet their AML/CFT obligations.

Actions: The Central Bank has reconfirmed that it will only register a firm when it is satisfied that the firm can meet its AML/CFT obligations on an ongoing basis. It has said that all current and potential VASP applicants should:
The Central Bank also took the opportunity to remind firms that:
Key Central Bank observations on registrations received and assessed to date

Incomplete Applications: A number of registration applications did not contain the required information and documentation and consequently such applications did not progress to the assessment phase.
Assessment Phase: In undertaking its assessment of registration applications, the Central Bank noted recurring fundamental issues preventing approval of registration applications, as the applicants could not meet their AML/CFT legislative obligations or the Central Bank’s expectations. The Central Bank communicated its concerns and expectations to the applicants for further consideration.

The Central Bank helpfully provided a couple of pages in its bulletin (pages 4 - 6) giving an overview of recurring issues identified during the assessment of VASP registration applications. These are repeated below.

Money Laundering and Terrorist Financing (ML/TF) Risk Assessment: An effective AML/CFT control framework is built on an appropriate ML/TF risk assessment that focuses on the specific ML/TF risks arising from the firm’s business model. This risk assessment should drive the firm’s AML/CFT control framework such that it ensures there are robust controls in place to mitigate and manage the specific risks identified through the risk assessment. The Central Bank identified a significant number of issues with the ML/TF risk assessments conducted by VASP applicant firms, including:
Policies and Procedures: When developing AML/CFT policies, controls and procedures (“AML/CFT P&Ps”), firms should maintain a detailed documented suite of AML/CFT P&Ps, which are:
The Central Bank identified a number of recurring issues with the AML/CFT P&Ps submitted by applicant firms, including:
Customer Due Diligence (“CDD”): CDD involves more than just verifying the identity of a customer. Firms should collect and assess all relevant information in order to ensure that the firm:
The Central Bank identified a number of recurring issues with the CDD AML/CFT P&Ps submitted by applicant firms, including:
Financial Sanctions Screening: The Central Bank’s expectation is that firms have an effective screening system in place, appropriate to the nature, size and risk of their business. In addition to this, firms should have clear escalation procedures in place to be followed in the event of a positive match.
Outsourcing: A firm can outsource certain AML/CFT functions, but is reminded that the firm remains ultimately responsible for compliance with its obligations under CJA 2010 to 2021. It is expected that, where firms outsource AML/CFT functions, a documented agreement is in place that clearly defines the obligations of the outsource service provider. Firms should also evidence that sufficient oversight is conducted on the outsourced activity. A number of VASP applicant firms outsource certain AML/CFT functions to group-related parties and/or non-group related parties.
Individual Questionnaires for proposed Pre-Approval Controlled Function role holders: A number of firms have failed to submit, or delayed in submitting, Individual Questionnaires (IQs) for each of their proposed Pre-Approval Controlled Function (PCF) role holders. IQs should be submitted for each individual proposed to hold a PCF role as soon as practical.

The Central Bank’s expectation on a firm’s presence in Ireland: In line with the principle of territoriality enshrined in the EU AML Directives and Section 25 of the CJA 2010 to 2021, the Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank. In addition, in accordance with Section 106 H of the CJA 2010 to 2021, the Central Bank may refuse an application where the applicant is so structured, or the business of the applicant is so organised, that the applicant is not capable of being regulated to the satisfaction of the Central Bank.

Further Reading: Press Release - Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks, 11 July 2022
AIB fined €83.3mn and EBS fined €13.4mn

Just shy of €100mn, a total of €96.7mn in fines, was imposed by the Central Bank of Ireland against AIB and EBS for regulatory breaches affecting tracker mortgage customers.
In the case of:
Both fines are net of a settlement discount scheme; otherwise AIB's fine would have stood at €119,000,000 and EBS's fine at €19,143,000. The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said:
CBI Enforcement Publicity Statements:
It is not often, in fact exceptionally rare, that there is news of insider dealing cases being brought in Ireland. But that is a topic for another day.
For today (1 May 2022), a Panel of Assessors has, according to reports in both the Sunday Business Post and The Sunday Times [see links #1 & #2 below], concluded that Philip Lynch had indeed traded on insider information, but that there were mitigating factors in the case. The independent and expert panel concluded that Mr Lynch should receive a public caution; a penalty of €75,000; a disqualification for five years from being involved in any financial services provider; and that he should pay the Central Bank’s legal costs of €37,500. It is reported that Mr Lynch — who has been chief executive of two publicly listed companies in Ireland, One51 and IAWS — has accepted this outcome as punishment for contravening market abuse regulations while he was a director of C&C, which makes Bulmers cider.

The case relates to a ten-plus-year investigation / inquiry into Mr Lynch buying 200,000 shares in C&C in 2008, when it was searching for a new chief executive. John Dunsmore, who was previously the chief executive of Scottish & Newcastle, became CEO in November 2008. The news sent shares in the company up over 26 per cent to €1.45. [see link #3 below]

Last week, the Central Bank lodged High Court proceedings against the businessman as part of the enforcement process of its findings. The Central Bank issued its finding on December 22 last year and told Mr Lynch it would apply to the High Court to confirm the sanctions. The case is listed for hearing on the advance warning list under Ms Justice Mary Irvine on 23 May 2022, according to court records.

Before the Panel of Assessors, the Central Bank had argued that Lynch ought to face a penalty of between €250,000 and €500,000, a public reprimand, and a period of disqualification for five years, because it argued the infringement was within the moderately serious range.
The Central Bank's enforcement division argued that it was “beyond a reasonable doubt” that Mr Lynch was in possession of “inside information” when he bought shares in C&C on October 21, 2008. He was aware Dunsmore’s appointment would provide a “wow” factor in relation to the company’s share price. Lynch’s lawyers argued the sanctions were disproportionate, saying that while he was aware of negotiations with Dunsmore, he was not certain of his appointment when buying the shares. His lawyers argued that there was no possibility of him making a short-term gain due to a one-year embargo on directors selling shares.

Back in 2013 C&C was fined €90,000 by the Central Bank for failing to keep up-to-date records on its “insider” list, the second time the financial regulator had taken action against a non-financial services firm. Between January 2nd, 2008 and January 29th, 2009, the Dublin- and London-listed firm was found to be in breach of the insider list requirements of the Market Abuse Directive. It failed to “regularly and promptly” update its insider list with the identity of people working for C&C who had access to inside information. It also failed to state on the list the date of each and every occasion on which it was updated. [see link #4]

If you are interested in reading about insider dealing case history in Ireland, although it is seven years old, see link #5, 'Loose lips and share flips'.

Links below to source material:
CompliReg is a leading provider of consultancy services to MiFID, Payments and Emoney firms. Our founder, Peter Oakes, is an independent non-executive director of two Central Bank regulated MiFID firms, an emoney firm and a payments firm. Peter is a member of the Audit, Risk, Nomination, Remuneration and Internal Audit Committees of a number of firms. Read more about Peter's NED services and CompliReg's services.

If the post below on the marketing of complex investment products is of interest, then you should also look at our post of 1 December 2021 on the Central Bank's review findings on firms providing investment services. The Central Bank found that there is a need to improve suitability assessments.

Central Bank reviews identify issues in marketing of complex investment products
The Central Bank of Ireland has written to MiFID investment firms, outlining the findings from a series of targeted reviews of Structured Retail Products (SRPs). These reviews examined SRPs manufactured and distributed by investment firms in the MiFID investment sector. A number of areas were identified where further action is needed by firms to ensure their governance and oversight of SRPs keeps pace with an increasingly complex retail investment market, so that investors are appropriately protected. The reviews found a number of poor practices and weaknesses in firms’ processes, which increase risks to investors. This includes failure by firms to consider potential difficulties investors may have in understanding the complex features involved in some SRPs; failing to present past performance information in a fair and balanced manner; and not including prominent capital at risk warnings in marketing materials. Director of Consumer Protection, Colm Kincaid, said: “The retail investment market is changing rapidly, with an increasing shift away from traditional, capital protected products to more complex, capital at risk products. As complexity increases, so too do the risks to investors and the responsibilities regulated firms have to protect those investors’ best interests. Our recently published Outlook Report highlighted a number of risks for consumers from changing business practices and ineffective disclosures on investment products, as well as what we expect regulated firms to do to deal with those risks. The work we are publishing today builds on that Report. “We carried out these reviews because we want to see that regulated firms meet high standards in how they design, manufacture and distribute complex investment products to retail investors. In particular, we want to see that complex investment products are designed with real investment needs in mind, that they are targeted only at investors with those needs and that the risks are properly explained. 
We are requiring firms to take action to improve their performance on each of these fronts, as well as highlighting good practices which we want to see emulated across the sector.” The letter requires regulated firms to take action to identify a sufficiently granular target market for SRPs and to drive improvements in the quality and transparency of disclosures to investors of the risks relating to these products. In particular:
The Central Bank expects firms to adhere to high standards of investor protection, acting in the best interests of investors at all times. We continue to monitor developments in the retail investment market, and the findings of these reviews and the expectations set out in today’s letter will be considered as part of future supervisory engagements.

ENDS

Notes to Editors
Source: Central Bank of Ireland, 22 April 2022
This blog is by Peter Oakes, Founder of Fintech Ireland and CompliReg. Peter qualified as a lawyer in Australia, the UK and Ireland. He is a director of a number of regulated innovative fintechs and an adviser to fintech and crypto firms and their professional service providers. Contact him here and follow him on Linkedin and Twitter (Fintech Ireland Twitter). A summary of this material appears at Linkedin here.

The first Irish regulated funds to take exposure to crypto-assets have been approved by the Central Bank of Ireland (CBI). The funds, both Qualifying Investor AIFs (QIAIF), will obtain indirect exposure to Bitcoin by acquiring cash-settled Bitcoin Futures traded on the Chicago Mercantile Exchange (CME). Before you get too excited looking to buy some of the digital asset via the QIAIFs, note that this channel of exposure is RESTRICTED TO PROFESSIONAL INVESTORS. [NB: As recently as March 2022 the Central Bank issued a warning on the risks of investing in crypto assets]. We have provided further details about the regulatory crypto investing landscape in Ireland under 'Further Reading' below.

Last month the CBI informed industry bodies that it had approved in principle at least one QIAIF with a low level of exposure to cash settled Bitcoin futures traded on the CME. The two unnamed QIAIFs are the first such funds approved by the CBI to provide indirect crypto exposure.

If you want your existing QIAIFs to obtain exposure to crypto assets, or you wish to establish a new QIAIF to do so, get in touch (details above). I am asked on a regular basis by institutional investors and professional investors how they can get exposure to cryptocurrencies and other digital assets via regulated products. Unless you are able to gain direct exposure via a virtual asset service provider (VASP), the Irish QIAIF model (non-UCITS) might be your avenue.
Note however that the CBI has said it is highly unlikely to approve a UCITS proposing any exposure (either direct or indirect) to crypto assets. Thus retail investors wanting crypto exposure in Ireland need to turn to VASPs/Exchanges directly.

Through Fintech Ireland, CompliReg and the industry experts network, we know the lawyers, ManCos and depositories / custodians who can assist institutional/professional firms and fund promoters looking to gain exposure to the crypto markets. Further, if you are seeking registration as a virtual asset service provider or authorisation as a MiFID firm, emoney institution or payments institution to provide services to institutional, professional and retail clients, check out our Authorisation Page.

Further reading:
Question. Can a RIAIF or a QIAIF invest either directly or indirectly in crypto-assets? Answer. Crypto-assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. However, the nature and characteristics of crypto-assets vary considerably. For example, crypto-assets that are tokenised traditional assets (whose value is linked to an underlying traditional asset or a pool of traditional assets (such as financial instruments or commodities)) may have a different risk profile when compared to other crypto-assets that are based on an intangible or non-traditional underlying. For the purposes of this Q&A “crypto-asset” is used to refer to the latter type of crypto-asset. The Central Bank must be satisfied that direct or indirect exposure to crypto-assets is capable of being appropriately risk managed. As of the date of publication of this Q&A, the Central Bank has not seen information which would satisfy it that direct or indirect exposure to crypto-assets is capable of being appropriately risk managed. Though crypto-assets do not all have uniform characteristics, the Central Bank has noted that they can present significant risks, including liquidity risk; credit risk; market risk; operational risk (including fraud and cyber risks); money laundering / terrorist financing risk; and legal and reputation risks. Taking into account the specific risks attached to crypto-assets and the potential that retail investors will not be able to appropriately assess the risks of making an investment in a fund which gives such exposures, the Central Bank is highly unlikely to approve a RIAIF proposing any exposure (either direct or indirect) to crypto assets. In the case of a QIAIF seeking to gain exposure to crypto-assets, the relevant QIAIF would need to make a submission to the Central Bank outlining how the risks associated with such exposures could be managed effectively by the AIFM. 
The Central Bank’s approach in relation to crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future.
Question. Can a UCITS invest either directly or indirectly in crypto-assets? Answer. Crypto-assets are generally considered to be private digital assets that depend primarily on cryptography and distributed ledger or similar technology. However, the nature and characteristics of crypto-assets vary considerably. For example, crypto-assets that are tokenised traditional assets (whose value is linked to an underlying traditional asset or a pool of traditional assets (such as financial instruments or commodities)) may have a different risk profile when compared to other crypto-assets that are based on an intangible or non-traditional underlying. For the purposes of this Q&A “crypto-asset” is used to refer to the latter type of crypto-asset. The Central Bank must be satisfied that assets in which a UCITS invests are capable of meeting the eligible asset criteria for UCITS and that indirect exposure to the assets is capable of being appropriately risk managed. As of the date of publication of this Q&A, the Central Bank has not seen information which would satisfy it that crypto-assets are capable of meeting the eligible asset criteria for UCITS or that indirect exposure to crypto-assets is capable of being appropriately risk managed. Though crypto-assets do not all have uniform characteristics, the Central Bank has noted that they can present significant risks, including liquidity risk; credit risk; market risk; operational risk (including fraud and cyber risks); money laundering / terrorist financing risk; and legal and reputation risks. Taking into account the specific risks attached to crypto-assets and the potential that retail investors will not be able to appropriately assess the risks of making an investment in a fund which gives such exposures, the Central Bank is highly unlikely to approve a UCITS proposing any exposure (either direct or indirect) to crypto assets. 
The Central Bank’s approach in relation to crypto-assets will be kept under review, continue to be informed by European regulatory discussions on the topic and may change should new information or developments emerge in the future.
Bank of Ireland (BOI) cops a €24.5mn fine over its information technology service continuity failings, because, in the CBI's words, "the impact of these breaches meant that had [note: “HAD”, not 'did have'] a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services." Today’s announcement by the Central Bank of Ireland (CBI) falls in the week the CBI published its ‘Operational Resilience Finalised Guidance Paper’ arising from CP140 - Cross Industry Guidance on Operational Resilience. Speaking of timing, last week there was a well-publicised outage at Revolut, which is seeking authorisation in Ireland as an emoney firm and, as previously raised by its founder, potentially a bank/credit institution authorisation in Ireland. It holds bank and emoney authorisations in Lithuania. The case is well worth a read by all regulated financial technology (#fintech) firms focused on emoney and payments, not just banks operating in Ireland. In particular, the statement should be read and digested by the large pipeline of emoney and payment services applicants. A number of points to call out include:
BOI admitted five contraventions occurring between 2008 and 2019, quite an extended period.
Being an INED of several regulated fintechs and financial services firms in Ireland, I thought this point in the publicity statement by the CBI was worth noting.
Read the statement issued by the Central Bank of Ireland on 2nd December 2021 below.

Posted by Peter Oakes, CompliReg. LinkedIn post at https://www.linkedin.com/feed/update/urn:li:activity:6872160483626029056/

Statement issued by the Central Bank of Ireland on 2nd December 2021

On 30 November 2021, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (the Firm or BOI) €24,500,000 pursuant to its Administrative Sanctions Procedure (ASP) for failures to have a robust framework in place to ensure continuity of service for the Firm and its customers in the event of a significant IT disruption. These IT service continuity deficiencies were repeatedly identified from 2008 onwards but due to internal control failings only started to be appropriately recognised and addressed in 2015. The steps taken by the Firm to address the deficiencies were completed by 2019.

The Central Bank has determined the appropriate fine to be €35,000,000, which has been reduced by 30% to €24,500,000 in accordance with the settlement discount scheme provided for in the Central Bank’s ASP. The Firm has admitted five contraventions [1] occurring between 2008 and 2019 including:
Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said:

“Today’s banks and financial services firms are wholly dependent on effective, reliable and resilient IT systems. It is vital that firms have a framework in place so that they can ensure continuity of critical IT services and minimise the impact of any significant disruption.

“Without an effective IT service continuity framework, significant IT disruptions, particularly if they were to happen in a bank, could have a very serious impact on millions of customers who rely on ready access to their funds and services to keep their everyday lives and businesses moving.

“From 2008 until 2019, BOI was in breach of key regulatory provisions regarding IT service continuity, arising from deficiencies that were repeatedly identified between 2008 and 2015 in third party reports. However, steps to address these deficiencies only commenced in 2015.

“The extent and duration of these breaches were particularly serious given the ‘always on’ nature of the services BOI provides and how pivotal IT is to the entirety of its business operations. The impact of these breaches meant that had a severe disruption event occurred, BOI may not have been able to ensure continuity of critical services, such as payment services. Had BOI’s critical services been disrupted, this could have led to adverse effects on customers and the financial system.

“This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

BACKGROUND

BOI is authorised to carry on banking business in Ireland as a credit institution under Section 9 of the Central Bank Act 1971. BOI is one of the largest banks in Ireland with 169 branches and over 2 million customers. Its principal activities consist of retail and commercial banking. BOI reported total operating income (net of insurance claims) for the year ended 31 December 2020 of €2,645 million.

The European Central Bank (the ECB) is the prudential supervisor of BOI and works closely with the Central Bank as part of the Single Supervisory Mechanism (SSM). [2] Under the SSM, the ECB has the power to ask national banking regulators to investigate issues that it has identified, and to take enforcement action where this is merited.

In 2015, BOI’s Internal Audit raised concerns about deficiencies in BOI’s IT service continuity framework. In 2016, BOI commissioned an internal investigation into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report (completed in October 2017), which was provided to the ECB, identified a number of risk management and internal control failings in respect of BOI’s IT service continuity. In addition, the report identified failings relating to BOI’s management and oversight of its third party IT vendors and failings relating to its management body having access to information regarding the deficiencies in BOI’s IT service continuity framework. Following consideration of the report, the ECB determined that these issues merited further investigation. The Central Bank’s investigation commenced following a referral [3] by the ECB in August 2018.
From 2008, BOI’s internal controls in relation to IT service continuity employed a three lines of defence model, whereby:
The Central Bank’s investigation found that there were failings in each line of defence (as detailed further below). The failures in each line of defence culminated in an overall failure of this model in relation to the Firm’s IT service continuity framework. This is most clearly demonstrated in circumstances where IT service continuity deficiencies were not addressed, despite being repeatedly identified in third party reports, between 2008 and 2015.

The Central Bank’s investigation found that BOI had in place second and third lines of defence which were meant to challenge and oversee the first line business unit responsible for IT service continuity. However, both the second and third lines of defence failed to ensure that the first line business unit was acting on the adverse findings of reports prepared by third parties, which had reviewed BOI’s IT service continuity framework. In addition, the second and third lines of defence failed, independently, to address and escalate the IT service continuity risks to which BOI was exposed. Ultimately, these internal control failings resulted in deficiencies in the Firm’s IT service continuity framework persisting for a prolonged period. This is particularly serious as the Firm’s reliance on IT was significantly increasing year on year, in common with the sector.

In 2015 the Firm initiated steps to address the deficiencies in both its IT service continuity framework and associated internal controls. The Central Bank acknowledges that the steps taken by the Firm have resulted in an overall improvement in its IT service continuity framework and internal controls.

Firms and their boards must have in place robust internal controls to ensure that their IT service continuity frameworks are maintained to a necessary standard. This enforcement outcome highlights the actions the Central Bank will take where firms cannot demonstrate that they are maintaining effective IT service continuity frameworks.

PRESCRIBED CONTRAVENTIONS

The Central Bank’s investigation identified five breaches relating to the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) (the 1992 Regulations) and European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) (the Capital Requirements Regulations) as set out below.

Contravention 1 – Failure to have in place contingency and business continuity plans in relation to IT service continuity.

From June 2008 to April 2019, the Firm breached Regulation 16(4)(b) of the 1992 Regulations and Regulation 73(3) of the Capital Requirements Regulations by failing to have in place contingency and business continuity plans with regard to IT service continuity to ensure the Firm’s ability to operate on an ongoing basis and limit losses in the event of severe business disruption. In particular:
Contravention 2 – Failure to have in place and maintain robust governance arrangements, including effective processes to identify, manage, monitor and report the risks that the Firm was exposed to and failure to have adequate internal control mechanisms.

From June 2008 to April 2019 the Firm breached Regulation 16(3) (b) and (c) of the 1992 Regulations and Regulation 61(1) (b) and (c) of the Capital Requirements Regulations by failing to have in place and maintain robust governance arrangements including:
These governance failings led to the Firm’s failure to address the IT service continuity deficiencies as set out in Contravention 1. The Firm failed to have in place and maintain effective governance arrangements through its three lines of defence model regarding IT service continuity. As a result, deficiencies in the Firm’s IT service continuity framework were identified by third party reports prepared for the Firm but were not managed, escalated and appropriately dealt with by the Firm. This demonstrates a recurring failure that is indicative of poor internal controls and demonstrates an overall failure of the Firm’s three lines of defence model with regard to its IT service continuity framework, which arose due to the following:
Contravention 3 – Failure to have in place and maintain robust governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.

From June 2008 to April 2019 the Firm breached Regulation 16(3)(a) of the 1992 Regulations and Regulation 61(1)(a) of the Capital Requirements Regulations by failing to have in place a clear organisational structure with well-defined, transparent and consistent lines of responsibility in relation to IT service continuity. In this case, the first line business units were siloed, which resulted in an uncoordinated approach to IT service continuity with no consistent processes or procedures in place for managing and reporting IT service continuity requirements and risks. In addition, there was no well-defined, transparent and consistent second line function with responsibility for overseeing and challenging IT service continuity requirements and risks across the Firm to ensure that they were being adequately managed. The first line unit responsible for IT service continuity was identifying risks, however, due to the siloed nature of this unit, stakeholders within the Firm had limited or no visibility of these IT service continuity risks. This had the effect of excluding key stakeholders in the Firm from involvement in the assessment of prioritisation decisions regarding IT service continuity, which is a key area of operational risk.

Contravention 4 – Failure to adequately develop a clear understanding of the roles, responsibilities, accountabilities and clear interdependencies between third party IT service providers.

From June 2008 to December 2019 the Firm breached Regulation 16(4)(a) of the 1992 Regulations and Regulation 61(3)(a) of the Capital Requirements Regulations by failing to adequately develop a clear understanding of the roles, responsibilities, accountabilities and interdependencies between different third party IT service providers.

Contravention 5 – Failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation.

The Firm breached Regulation 64(13) of the Capital Requirements Regulations, from 31 March 2014 (when the requirement was introduced) until Q4 2015, by its failure to ensure that the Firm’s management body had adequate access to information on the Firm’s risk situation in respect of IT service continuity, which was a key area of operational risk. Specifically, the findings of third party reports which identified deficiencies with IT service continuity were not made available to the Firm’s management body.

SANCTIONING FACTORS

In deciding the appropriate penalty to impose, the Central Bank had regard to the Outline of the Administrative Sanctions Procedure 2018 and the ASP Sanctions Guidance November 2019. It considered the need to impose a level of penalty proportionate to the nature, seriousness and impact of the contraventions and the size of the Firm’s operations. The Central Bank also had regard to the need for deterrence. The following particular factors are highlighted in this case:

The Nature, Seriousness and Impact of the Contravention

Duration and frequency of the contravention
Serious or systemic weakness of the management systems or internal controls relating to all or part of the business
The impact or potential impact of the contraventions
The loss or detriment or risk of loss or detriment caused to consumers or other market users
The extent to which the contravention departs from the required standard
The Conduct of the Regulated Entity after the Contravention

Mitigating: The following two mitigating factors, indicative of exemplary co-operation and self-reporting on behalf of the Firm, applied in this case:
The investigation found that, following concerns that had been raised by its Internal Audit in 2015 about deficiencies in BOI’s IT service continuity framework, BOI commissioned an internal investigation in 2016 (completed in 2017) into how the IT service continuity deficiencies had persisted from 2008 to 2015. The resulting report:
This assisted the Central Bank’s investigation, facilitated the review of documentation, and reduced the time and resources required to complete the investigation.

The Previous Record of the Regulated Entity

Aggravating:
Other Considerations
1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
2. This is the Central Bank’s 145th settlement under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €191 million.
3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts. The penalties are not included in general Central Bank revenue.
4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link.
5. A copy of the ASP Sanctions Guidance November 2019 is available here: link. This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure 2018 and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here: link). These documents should be read together.
6. In accordance with the SSM, the Firm became subject to direct supervision in prudential matters by the ECB as of 4 November 2014.
7. The European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) were in force between 1 January 1993 and 31 March 2014; a copy can be found here: link. These were repealed and replaced by the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) which are here: link.
8. On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link.
9. The Firm has been the subject of four previous settlement agreements with the Central Bank, as follows:
Footnotes

[1] Breaches of the European Communities (Licensing & Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992) (as amended) and the European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014).
[2] The Firm became subject to direct supervision in prudential matters by the European Central Bank as of 4 November 2014.
[3] Pursuant to Articles 4(1) and 18(5) of the SSM Regulation (Council Regulation (EU) No 1024/2013).
[4] Critical services are business services that provide a substantial banking or operational activity and are of such importance that any weakness or failure in the provision of these activities could have a significant impact on BOI’s ability to meet its regulatory and legal obligations and/or control over, or continuity of, its services and activities. They could also adversely impact on BOI’s ability to manage risks related to these activities.
[5] A runbook describes how the Firm would continue to provide a service should an incident arise. A runbook would also contain procedures to begin, stop, supervise, test and restart a service/system.
[6] Failover is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.
[7] End-to-end testing refers to a software testing method that involves testing an application's workflow from beginning to end.
CompliReg is a leading provider of consultancy services to MiFID, Payments and Emoney firms. Our founder, Peter Oakes, is an independent non-executive director of two Central Bank regulated MiFID firms, an emoney firm and a payments firm. Peter is a member of the Audit, Risk, Nomination, Remuneration and Internal Audit Committees of a number of firms. Read more about his NED services and CompliReg's services.

UPDATE 22/04/2022: If the post below on suitability requirements is of interest, you should also look at our post of 22 April 2022 on the Central Bank's review findings on issues in the marketing of complex investment products.

Central Bank review finds firms providing investment services need to improve suitability assessments
The Central Bank of Ireland has published a Dear CEO letter outlining the findings of a review of investment firms’ compliance with the suitability requirements under MiFID II. The review was conducted as part of a Common Supervisory Action (CSA) coordinated by the European Securities and Markets Authority (ESMA). The purpose of the review was to assess firms’ compliance with the suitability requirements under MiFID II by simultaneously conducting supervisory activities throughout the EU/EEA. The findings, which are highlighted in ESMA’s recent public statement, incorporate the findings from the Central Bank’s own supervisory analysis, and engagement with other National Competent Authorities (NCAs).

When providing investment advice and/or portfolio management, firms are required to take all reasonable steps to ensure that a client’s investments align to their objectives and personal circumstances. This is a key measure to protect investors from the risk of purchasing unsuitable products.

The review identified evidence of positive practices, particularly where firms took a personalised and comprehensive approach to suitability assessments for their clients. However, it also identified instances where further action is required by firms. For example:
The Central Bank will continue to engage with firms where specific supervisory actions have been imposed, which require firms to take specific action on foot of our findings. In addition, the Central Bank is requiring all Irish authorised MiFID firms and credit institutions, who provide portfolio management and advisory services to retail clients, to conduct a thorough review of their individual sales practices and suitability arrangements. This review must be documented and must include details of actions taken to address findings in the ESMA public statement and this letter. This review should be completed, and an action plan discussed and approved by the board of each firm, by end of Q1 2022.

Director of Consumer Protection, Colm Kincaid, said:

“Investing in an unsuitable investment product can lead to unexpected losses, which can have devastating consequences for individual investors and their families. Regulated firms play a key role in protecting consumers against this risk.

“However, the findings from this review show that regulated firms need to improve their performance when it comes to assessing the suitability of investment products they recommend or advise consumers to purchase. These assessments must be of high quality, based on a good understanding of the customer’s circumstances and capacity for financial loss, and properly documented.”

Source: Central Bank of Ireland, 01 December 2021